amphp/http-client: Denial of Service via HTTP/2 CONTINUATION Frames
CVE ID: N/A
Exploitation status: None at present
Patch status: N/A
Disclosure date: 2024-04-04
Vulnerability description
Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. Later versions of amphp/http-client (v4.1.0-rc1 and up) depend on amphp/http for HTTP/2 processing and will therefore need an updated version of amphp/http, see GHSA-qjfw-cvjf-f4fm.
Remediation advice
Update the affected system or software to the latest version to remediate the vulnerability.
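The failure mode in the description, as an added example (not code from amphp/http-client, amphp/http or the advisory): a header-block assembler that enforces the size limit either on every frame or only once END_HEADERS arrives. The class and function names, the 8 KiB limit and the frame list are constructed for illustration.

```python
HEADERS, CONTINUATION = 0x1, 0x9   # HTTP/2 frame types (RFC 9113)
END_HEADERS = 0x4                  # flag carried by HEADERS / CONTINUATION


class HeaderBlockTooLarge(Exception):
    """The reassembled header block exceeds the configured limit."""


class HeaderBlockAssembler:
    def __init__(self, limit, check_each_frame):
        self.limit = limit                        # max header block bytes (assumed setting)
        self.check_each_frame = check_each_frame  # False models the deferred check
        self.buf = bytearray()
        self.peak = 0                             # largest buffer size reached

    def feed(self, ftype, flags, payload):
        """Return the complete header block on END_HEADERS, else None."""
        if ftype == HEADERS:
            self.buf.clear()
        elif ftype != CONTINUATION:
            raise ValueError("unexpected frame inside a header block")
        # Hardened path: reject before the fragment is ever buffered.
        if self.check_each_frame and len(self.buf) + len(payload) > self.limit:
            self.buf.clear()
            raise HeaderBlockTooLarge("limit exceeded mid-block")
        self.buf += payload
        self.peak = max(self.peak, len(self.buf))
        if not flags & END_HEADERS:
            return None
        # Deferred path: the only check happens here, after everything is buffered.
        if len(self.buf) > self.limit:
            self.buf.clear()
            raise HeaderBlockTooLarge("limit exceeded at END_HEADERS")
        block, self.buf = bytes(self.buf), bytearray()
        return block


def peak_buffered(frames, limit, check_each_frame):
    """Feed frames; return (peak bytes buffered, whether the block was rejected)."""
    asm = HeaderBlockAssembler(limit, check_each_frame)
    try:
        for frame in frames:
            asm.feed(*frame)
    except HeaderBlockTooLarge:
        return asm.peak, True
    return asm.peak, False


# Constructed input: HEADERS plus 1000 CONTINUATION frames of 1 KiB, END_HEADERS never set.
FRAMES = [(HEADERS, 0, b"\x00" * 1024)] + [(CONTINUATION, 0, b"\x00" * 1024)] * 1000
```

With the deferred check the buffer grows with every frame and the limit is never consulted because END_HEADERS never arrives; with the per-frame check the buffer stops at the limit and the block is rejected.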
Reference links |
---|
https://github.com/advisories/GHSA-w8gf-g2vq-j2f4 |
- Attack vector: N/A
- Attack complexity: N/A
- Privileges required: N/A
- Scope: N/A
- User interaction: N/A
- Availability: N/A
- Confidentiality: N/A
- Integrity: N/A
CWE-ID | Vulnerability type |
---|---|
CWE-770 | Allocation of Resources Without Limits or Throttling |
CWE-789 | Uncontrolled Memory Allocation |